|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: browser security
From: Andreas Bartelt (obsd
bartula.de)
Date: Wed Dec 14 2005 - 20:02:42 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
James Strandboge wrote:
...
>>While we're at systrace, I was wondering - could systrace reduce the risks
>>associated with running apache with PHP?
>
>
> Default apache is already chrooted, so systracing it won't be as much of
> a win as systracing processes not in a chroot. That said, you can
> definitely add another layer and protect your apache chroot area by
> systracing it, sure. chrooting and/or systracing every internet facing
> server is not a bad idea at all.
>
Apache forks children with reduced priviledges (user www) while, at the
same time, there's always an Apache process running as root. Therefore,
a useful systrace policy for Apache probably won't be easy to write.
regards,
Andreas
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]